Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Tim Sadler
Tim Sadler
Connect Directly
E-Mail vvv

Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?

Consider four factors and behaviors that impact a particular employee's risk, and how security training should take them into account.

Companies are spending significant resources trying to reduce security risk among employees. And they spend billions each year on training, yet major data breaches continue to make headlines, and human error remains the leading cause of a breach. Where's the disconnect?

Related Content:

6 Free Cybersecurity Training and Awareness Courses

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

One major problem is that companies haven't adapted their security training as quickly as cybercriminals have evolved their attack methods. Cybercriminals increasingly target specific employees based on real-time factors like tenure, department, and location to make their scams more believable. To safeguard against these threats, security training must be as tailored and sophisticated as attack methods. 

There are a number of factors and behaviors that affect a particular employee's risk. Here are four of them, and how security training should take them into account.

Department and Job Function
Cybercriminals craft convincing scams by tailoring them based on an employee's department and role. They comb platforms like LinkedIn and company websites to find these details.

Security training should be tailored by job function and provide employees with real-world examples of the scams most likely to target them. For example, the CFO and finance department might be targeted by more business email compromise attacks like wire transfer fraud, and they should be trained on them accordingly. 

Human error also differs by department. For example, sales teams often have access to large swaths of personal information. Train these teams on how to avoid data loss risks, like sending documents or attachments to their personal emails.

Individualized training allows companies to prioritize training for employees with access to sensitive data, such as customer Social Security numbers and financial information, and for the departments that are most often targeted. For this reason, information on employees' roles and access should be automatically updated.

Employee Tenure
New employees are often specifically targeted by hackers, and social media makes this easy. Tessian found that 93% of US respondents post about a new job on social media. 

Because new employees are less familiar with colleagues and company security protocols, they are often less able to identify abnormal requests. Cybercriminals know this and take advantage of it. For example, they'll pose as an IT team member or customer service rep asking for login credentials to set up software or account permissions. 

Security training and tactics should focus on where new employees' vulnerabilities lie so they know what to look for. A careful review of security guidelines and best practices should be integrated into the onboarding process early on. 

Remote or In-Office Work
Security was a major challenge for many companies during the transition to remote work. Now they will face new hurdles with a complex shift to hybrid work. It's highly likely that cybercriminals will continue to target remote employees and take advantage of any uncertainty caused by the hybrid workplace.

Distraction is an important risk factor here. Over half (57%) of employees say they feel more distracted when working from home, while 47% cited distraction as the top reason for falling for a phishing scam. People tend to make more mistakes, like clicking a link without verifying an email sender, during these situations. It's also more difficult to verify a legitimate request from a colleague when you're not in the same location.

Employees should be trained on the specific security risks unique to working from home, in an office, or in a hybrid environment. 

Risk of Human Error
Security training often focuses only on risks like phishing scams that aim to trick employees. But simple human mistakes also lead to data breaches — for example, when an employee sends sensitive information to the wrong email recipient. The most effective tools will flag this behavior in real time as an employee is about to make a poor decision. Humans learn best in context, so training is best delivered in-the-moment rather than in lengthy modules that happen once per quarter.

Training has an important opportunity to make employees aware not only of general security risks, but also improve their individual behaviors over time. Do they download large amounts of sensitive data when they only need to access a small portion? Do they have a history of falling for phishing scams? Security reminders should be tailored to past behavior and delivered consistently. 

This is not about shaming or punishing individual employees. The goal is to arm them with specific, relevant knowledge based on their own workplace habits. 

Better for Employees, Better for Organizations
Tailored training is a win-win for both organizations and their employees. Instead of sitting through long, boring training sessions that interrupt productivity, employees' time can be spent only on the most relevant information. Training becomes more engaging and more memorable. Meanwhile, organizations save resources by making training more effective and efficient. The ultimate goal is to create a wider security culture that leaves the organization better protected overall. 

Cybercriminals are consistently refining their techniques to trick employees, while workers are put in charge of more and more data as companies digitally transform. Security techniques should, similarly, continually incorporate new methods and technologies. By analyzing unique risk factors and making security training both individualized and automated, security leaders can protect employees without disrupting their work.

Tim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...